Table Top Exercises: (Probably) Not as Boring as You Think
This talk demonstrates the methodology for conducting effective cybersecurity table top exercises (TTX) to improve incident response readiness. It focuses on the CISA-aligned framework for simulating realistic attack scenarios, such as ransomware or insider threats, to identify gaps in organizational processes. The speaker emphasizes the importance of involving diverse stakeholders and maintaining an exploratory, non-punitive environment to foster collaboration. Practical tips for facilitators include adapting scenarios in real-time and using the exercise to test specific incident response steps.
Stop Treating Table Top Exercises Like Compliance Checkboxes
TL;DR: Most organizations treat table top exercises (TTX) as a boring, annual compliance requirement, missing the chance to actually stress-test their incident response (IR) capabilities. By moving away from rigid, scripted scenarios and embracing an exploratory, participant-driven approach, security teams can identify real-world gaps in their detection and response workflows. This post breaks down how to run a high-impact TTX that actually prepares your team for a real breach rather than just checking a box for an auditor.
Security teams often view table top exercises as a necessary evil. They are scheduled, the C-suite shows up for an hour, someone reads a script about a hypothetical ransomware attack, and everyone goes back to their desks feeling like they have "done security." This is a massive waste of time. If your exercise doesn't make your team sweat, you aren't doing it right. A real TTX should be a high-fidelity simulation that forces your IR team to confront the reality of their current toolsets, communication channels, and technical blind spots.
The Problem with Scripted Exercises
Most organizations fall into the trap of using overly rigid, linear scenarios. They follow a pre-written path: "The attacker phishes a user, they get domain admin, they encrypt the files, and we restore from backups." This is a fairy tale. Real incidents are messy. They involve misconfigured cloud services, missing logs, and internal politics that grind response efforts to a halt.
If you are a pentester or a researcher, you know that the most interesting part of an engagement is the pivot—the moment you realize your initial assumption was wrong and you have to find a new way in. Your TTX should mirror this. Use tools like Backdoors and Breaches, a card game that introduces randomness and specific attack vectors into the discussion. It forces participants to think on their feet rather than reciting a pre-approved response plan.
Facilitation as a Technical Skill
The facilitator is the most important person in the room. They are the Dungeon Master of the incident. If the team is too comfortable, the facilitator needs to introduce a complication. If the team is getting bogged down in the weeds of a specific firewall rule, the facilitator needs to pull them back to the high-level objective.
One of the most effective techniques is to push back on "easy" answers. When a participant says, "We would just pull the logs from the SIEM," the facilitator should ask, "What if those logs aren't there? What if the attacker cleared them or the ingestion pipeline failed?" This forces the team to identify dependencies they didn't know they had.
When running these, follow the CISA Tabletop Exercise Package (CTEP) framework. It provides a solid foundation for scoping, documentation, and post-exercise reporting. However, do not let the framework become the exercise. The goal is to identify where your process breaks, not to prove that your process is perfect.
Identifying Real-World Gaps
During a recent exercise, I watched a team struggle because they assumed their VPN logs would show the attacker's source IP. When we simulated a scenario where the attacker used a compromised session token instead of a password, the team realized their current logging didn't capture the necessary metadata to track that activity. That is a finding worth its weight in gold.
If you are a pentester, you can use these exercises to demonstrate the impact of your findings. Instead of just handing over a report that says "you are vulnerable to T1566.002," walk the client through a TTX where that specific technique is the entry point. Show them how the incident unfolds, where they lose visibility, and why their current response plan fails to contain the threat. This is far more persuasive than any slide deck.
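One way to turn the "what if the logs aren't there?" push-back and the session-token finding above into a repeatable pre-exercise check. This is an added example, not code from the talk or from CTEP: it takes the fields an inject needs per log source and a sample of what each source actually emits, then reports fields that never appear and fields that appear only on some code paths. The event format, the "vpn_gateway" and "siem" source names and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Inject:
    name: str
    # log source -> fields a responder must have to follow this inject
    required_fields: dict


# Constructed sample events from a hypothetical VPN gateway and SIEM feed.
# The gateway logs a password login with a source IP, but records a
# token-based session resume with almost nothing; the SIEM feed is empty
# (the "ingestion pipeline failed" complication from the text).
SAMPLE_EVENTS = {
    "vpn_gateway": [
        {"ts": "2024-05-01T10:02:11Z", "event": "auth_success", "user": "jdoe",
         "src_ip": "203.0.113.7", "method": "password"},
        {"ts": "2024-05-01T10:45:03Z", "event": "session_resume", "user": "jdoe",
         "method": "token"},
    ],
    "siem": [],
}

TOKEN_REUSE = Inject(
    name="Access via compromised session token",
    required_fields={
        "vpn_gateway": {"ts", "user", "src_ip", "method", "session_id"},
        "siem": {"ts", "user", "src_ip"},
    },
)


def coverage_gaps(inject, events_by_source):
    """Per log source, list the fields the inject needs but the logs lack.

    'missing' fields never appear at all; 'partial' fields appear in some
    events only, which is the trap from the text: the logs look fine until
    the scenario hits the code path (here, token auth) that omits them.
    """
    report = {}
    for source, needed in inject.required_fields.items():
        events = events_by_source.get(source, [])
        if not events:
            report[source] = {"missing": sorted(needed), "partial": [], "events": 0}
            continue
        seen = set().union(*(e.keys() for e in events))
        partial = {f for f in needed & seen if any(f not in e for e in events)}
        report[source] = {"missing": sorted(needed - seen),
                          "partial": sorted(partial), "events": len(events)}
    return report


if __name__ == "__main__":
    for source, gap in coverage_gaps(TOKEN_REUSE, SAMPLE_EVENTS).items():
        print(f"{source}: {gap}")
```

Run it against a day's worth of real exports before the exercise; every "partial" field is a question the facilitator can spring on the team.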
The Importance of Diverse Participation
Do not limit your TTX to the security team. Bring in the developers, the sysadmins, the help desk, and even legal. When a breach happens, these are the people who will be in the room. If the security team has a perfect plan but the sysadmins don't know how to isolate a host without breaking production, the plan is useless.
The most effective exercises are those where the participants realize they are not on the same page. Maybe the security team thinks they have full visibility into the cloud environment, but the DevOps team has been spinning up resources that aren't being monitored. These are the "aha!" moments that actually improve your security posture.
Moving Beyond the Script
If you want to make your next exercise useful, stop trying to prove you are secure. Start trying to break your own processes. If you are a researcher, look for the gaps in the OWASP Top 10 and build a scenario around them. If you are a defender, look at your most recent incident and build a scenario that explores what could have gone wrong if the attacker had been just a little bit smarter.
The value of a TTX isn't in the final report. It is in the conversation that happens when the team realizes they don't have the answer. That discomfort is where the learning happens. If you walk out of the room feeling like you have a lot of work to do, you have succeeded. If you walk out feeling like everything is under control, you have failed. Keep the pressure on, keep the scenarios realistic, and keep the focus on the gaps that matter.